https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594728#M118375 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/423508891">@K.Mohamed</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>I would configure LACP active on PA as well as Cisco side. I would also recommend to enable the&nbsp;LACP pre-negotiation&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/lacp-and-lldp-pre-negotiation-for-activepassive-ha" target="_self">LACP and LLDP Pre-Negotiation for Active/Passive HA</A>&nbsp; by selecting check box under: LACP &gt; High Availability Options &gt; Enable in HA Passive State.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Tue, 13 Aug 2024 12:43:56 GMT PavelK 2024-08-13T12:43:56Z https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594593#M118340 <P>hello,</P> <P>&nbsp;</P> <P>we have setup Active/ Passive connected with cisco stacking 9500 with four links full-mesh as shown below:</P> <P>&nbsp;</P> <P>Paloalto active:</P> <P>PA(active)&nbsp; AE1 ========= cisco-1 switch (Etherchanel 10)</P> <P>PA(active)&nbsp; AE1 ========= cisco-2 switch&nbsp;(Etherchanel 20)</P> <P>&nbsp;</P> <P>Paloalto Passive:</P> <P>PA(passive)&nbsp; AE1 ========= cisco-1 switch (Etherchanel 10)</P> <P>PA(passive)&nbsp; AE1 ========= cisco-2 switch&nbsp;(Etherchanel 20)</P> <P>=================================================</P> <P>Is the connection and configuration is correct or i should create 2 channels from Paloalto side like this example?</P> <P>&nbsp;</P> Mon, 12 Aug 2024 08:21:51 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594593#M118340 K.Mohamed 2024-08-12T08:21:51Z https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594678#M118367 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/423508891">@K.Mohamed</a></P> <P>&nbsp;</P> <P>to me this configuration does not look ideal.</P> <P>&nbsp;</P> <P>You are having 2 ports on PA side in a single port channel group and on Cisco side each port is in different port channel group. With this configuration you might have an issue with Cisco's EtherChannel guard kicking in to take ports into error disabled state.</P> <P>Personally I would configure port channel 10 to Active Firewall and port channel 20 to Passive Firewall.</P> <P>&nbsp;</P> <P>Paloalto active:</P> <P>PA(active) AE1 ========= cisco-1 switch (Etherchanel 10)</P> <P>PA(active) AE1 ========= cisco-2 switch (Etherchanel 10)</P> <P><BR />Paloalto Passive:</P> <P>PA(passive) AE1 ========= cisco-1 switch (Etherchanel 20)</P> <P>PA(passive) AE1 ========= cisco-2 switch (Etherchanel 20)</P> <P>&nbsp;</P> <P>Also, passive Firewall will have data plane interfaces down, so there will not be any passing traffic of this port channel until there is failover event.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> <P>&nbsp; &nbsp;</P> Tue, 13 Aug 2024 06:39:11 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594678#M118367 PavelK 2024-08-13T06:39:11Z https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594723#M118374 <P>Great,</P> <P>For LACP should be active or Passive ?on cisco and PA,,,</P> <P>&nbsp;</P> <P>Thank you,</P> Tue, 13 Aug 2024 12:32:07 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594723#M118374 K.Mohamed 2024-08-13T12:32:07Z https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594728#M118375 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/423508891">@K.Mohamed</a></P> <P>&nbsp;</P> <P>thank you for reply.</P> <P>&nbsp;</P> <P>I would configure LACP active on PA as well as Cisco side. I would also recommend to enable the&nbsp;LACP pre-negotiation&nbsp;<A href="https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/high-availability/ha-concepts/lacp-and-lldp-pre-negotiation-for-activepassive-ha" target="_self">LACP and LLDP Pre-Negotiation for Active/Passive HA</A>&nbsp; by selecting check box under: LACP &gt; High Availability Options &gt; Enable in HA Passive State.</P> <P>&nbsp;</P> <P>Kind Regards</P> <P>Pavel</P> Tue, 13 Aug 2024 12:43:56 GMT https://live.paloaltonetworks.com/t5/general-topics/pa-active-passive-and-cisco-stacking-lacp/m-p/594728#M118375 PavelK 2024-08-13T12:43:56Z